NEW Zimbra Patches: 8.8.12 Patch 1 + 8.8.11 Patch 4 + 8.8.10 Patch 8 + 8.8.9 Patch 10 + 8.7.11 Patch 11 + 8.6.0 Patch 14

Hello Zimbra Friends, Customers & Partners,

We have six new patches to announce:

  • Zimbra 8.8.12 “Isaac Newton” Patch 1
  • Zimbra 8.8.11 “Homi Bhabha” Patch 4
  • Zimbra 8.8.10 “Konrad Zuse” Patch 8
  • Zimbra 8.8.9 “Curie” Patch 10
  • Zimbra 8.7.11 Patch 11
  • Zimbra 8.6.0 Patch 14

For Zimbra 8.8.8 and above, you don’t need to download any patch builds. The patch packages can be installed using Linux package management commands. Please refer to the respective release notes for patch installation on Red Hat and Ubuntu platforms.

Note: Installing a zimbra-patch package only updates the Zimbra core packages.

Zimbra 8.8.12 “Isaac Newton” Patch 1

Patch 1 is here for the Zimbra 8.8.12 “Isaac Newton” GA release, and it includes fixes as listed in the release notes. Please refer to the release notes for Zimbra 8.8.12 Patch 1 installation on Red Hat and Ubuntu platforms.

Security Fixes

Information about security fixes, security response policy and vulnerability rating classification is listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information for details.

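| Bug# | Summary | CVE-ID | CVSS Score | Zimbra Rating | Fix Release or Patch Version |
|------|---------|--------|------------|---------------|------------------------------|
| 109117 | Persistent XSS – Drive [CWE-79] | | 3.5 | Minor | 8.8.12 Patch 1 |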

Fixed Issues

After an upgrade to 8.8.12, IMAP users are unable to access folders with names containing non-ASCII characters. This is fixed in 8.8.12 P1.

Zimbra 8.8.11 “Homi Bhabha” Patch 4

Patch 4 is here for the Zimbra 8.8.11 “Homi Bhabha” GA release, and it includes fixes as listed in the release notes. Please refer to the release notes for Zimbra 8.8.11 Patch 4 installation on Red Hat and Ubuntu platforms.

Security Fixes

| Bug# | Summary | CVE-ID | CVSS Score | Zimbra Rating | Fix Release or Patch Version |
|------|---------|--------|------------|---------------|------------------------------|
| 109096 | Blind SSRF vulnerability – Feed [CWE-918] | CVE-2019-6981 | 4.0 | Minor | 8.8.11 Patch 4 |
| 109127 | SSRF vulnerability – ProxyServlet [CWE-918 / CWE-807] | CVE-2019-9621 | 4.0 | Minor | 8.8.11 Patch 4 |

Fixed Issues

Fixed the CPU usage spike observed when viewing mails.

Zimbra 8.8.10 “Konrad Zuse” Patch 8

Patch 8 is here for the Zimbra 8.8.10 “Konrad Zuse” GA release, and it includes fixes as listed in the release notes. Please refer to the release notes for Zimbra 8.8.10 Patch 8 installation on Red Hat and Ubuntu platforms.

Security Fixes

| Bug# | Summary | CVE-ID | CVSS Score | Zimbra Rating | Fix Release or Patch Version |
|------|---------|--------|------------|---------------|------------------------------|
| 109096 | Blind SSRF vulnerability – Feed [CWE-918] | CVE-2019-6981 | 4.0 | Minor | 8.8.10 Patch 8 |
| 109127 | SSRF vulnerability – ProxyServlet [CWE-918 / CWE-807] | CVE-2019-9621 | 4.0 | Minor | 8.8.10 Patch 8 |

Fixed Issues

Fixed the CPU usage spike observed when viewing mails.

Zimbra 8.8.9 “Curie” Patch 10

Patch 10 is here for the Zimbra 8.8.9 “Curie” GA release, and it includes fixes as listed in the release notes. Please refer to the release notes for Zimbra 8.8.9 Patch 10 installation on Red Hat and Ubuntu platforms.

Security Fixes

| Bug# | Summary | CVE-ID | CVSS Score | Zimbra Rating | Fix Release or Patch Version |
|------|---------|--------|------------|---------------|------------------------------|
| 109097 | Insecure object deserialization – IMAP [CWE-502] | CVE-2019-6980 | 5.4 | Major | 8.8.9 Patch 10 |
| 109096 | Blind SSRF vulnerability – Feed [CWE-918] | CVE-2019-6981 | 4.0 | Minor | 8.8.9 Patch 10 |
| 109127 | SSRF vulnerability – ProxyServlet [CWE-918 / CWE-807] | CVE-2019-9621 | 4.0 | Minor | 8.8.9 Patch 10 |

Zimbra 8.7.11 Patch 11

Patch 11 is here for the Zimbra 8.7.11 GA release, and it includes fixes as listed in the release notes.

Security Fixes

| Bug# | Summary | CVE-ID | CVSS Score | Zimbra Rating | Fix Release or Patch Version |
|------|---------|--------|------------|---------------|------------------------------|
| 109096 | Blind SSRF vulnerability – Feed [CWE-918] | CVE-2019-6981 | 4.0 | Minor | 8.7.11 Patch 11 |
| 109127 | SSRF vulnerability – ProxyServlet [CWE-918 / CWE-807] | CVE-2019-9621 | 4.0 | Minor | 8.7.11 Patch 11 |

Fixed Issues

Fixed session time out when deleting mails.
Fixed the CPU usage spike observed when viewing mails.

Patch Installation

Download the patch for Network Edition and Open Source Edition.

Please refer to the release notes for 8.7.11 Patch 11 installation.
Note: Install this patch on all mailbox nodes running in your environment, and only on mailbox nodes.

Zimbra 8.6.0 Patch 14

Patch 14 is here for the Zimbra 8.6.0 GA release, and it includes fixes as listed in the release notes.

Security Fixes

| Bug# | Summary | CVE-ID | CVSS Score | Zimbra Rating | Fix Release or Patch Version |
|------|---------|--------|------------|---------------|------------------------------|
| 109097 | Insecure object deserialization – IMAP [CWE-502] | CVE-2019-6980 | 5.4 | Major | 8.6.0 Patch 14 |
| 109096 | Blind SSRF vulnerability – Feed [CWE-918] | CVE-2019-6981 | 4.0 | Minor | 8.6.0 Patch 14 |
| 109127 | SSRF vulnerability – ProxyServlet [CWE-918 / CWE-807] | CVE-2019-9621 | 4.0 | Minor | 8.6.0 Patch 14 |

Patch Installation

Download the patch for Network Edition and Open Source Edition.

Please refer to the release notes for Zimbra 8.6.0 Patch 14 installation.
Note: Install this patch on all mailbox nodes running in your environment, and only on mailbox nodes.

Thank you,
Your Zimbra Team
